Data Breach Reporting Laws Hit Australia with Serious Implications for Businesses
February 22, 2018 marks the date Australia finally rolls out its long-awaited data breach notification laws. After years of back-and-forth, handballed from minister to minister, Australia has reached a point of maturity when it comes to mandatory disclosure of serious breaches of personal data.
The news is likely to be music to the ears of consumers, who have been left in the dark by businesses sweeping breaches of sensitive information under the carpet.
Under the new laws, all organisations covered by the Australian Privacy Act are accountable under the Notifiable Data Breaches (NDB) scheme. If personal information is accessed or disclosed without authorisation, or is lost in circumstances where that is likely to happen, and a reasonable person would conclude the breach is likely to result in serious harm to the individuals concerned, the breach must be reported to the Office of the Australian Information Commissioner (OAIC) as well as to the individuals affected.
But, in 2018, it is shocking to hear reports that Australian businesses still feel unprepared for the rollout of these laws. Businesses will soon be responsible for notifying eligible breaches as soon as practicable (with at most 30 days to assess a suspected breach), and serious or repeated non-compliance can attract civil penalties of up to AU$360,000 for individuals and AU$1.8 million for organisations. There are huge financial and brand risks at stake.
Cybersecurity is as imperative to businesses as the internet connection that helps them get their work done. If you’re one of those businesses feeling a bit shaky and unprepared for this change, here’s what you need to do.
Don’t get complacent
For businesses, one of the hardest things to measure is preventative costs against an unknown benefit — you don’t know what you might lose until you lose it.
It may seem obvious that data breaches occur when systems are hacked, but breaches aren’t limited to malicious activity. Human error within an organisation is just as common, for example failing to follow internal procedures and so accidentally losing or disclosing information.
Other ways data breaches may occur:
- Lost or stolen laptops, tablets, smartphones
- Removable hard drives or USB sticks containing privileged information being passed to users without the proper clearance, or being lost or stolen
- Compromised cloud or on-premises databases containing personal and private information
- Paper records stolen from unsecured bins/filing cabinets
- Employees sharing privileged information outside of an organisation without the proper authority
What businesses should do to prepare (at the very least)
The Australian Signals Directorate (ASD) publishes a prioritised list of mitigations, the “Strategies to Mitigate Cyber Security Incidents”. The eight most effective of these, known as the “Essential Eight”, are the most fundamental elements of that list and form a baseline that is much harder for adversaries to get past when all eight are implemented together. The guidelines are best used as a baseline, to sense-check the current security controls, then adapted to the specific needs of the business.
Here are the eight guidelines at a glance:
- Whitelist applications: Application whitelisting allows only approved, trusted applications to execute on workstations and servers, so unapproved executables, scripts and installers (including malware) are blocked by default.
- Patch applications: Patching known security vulnerabilities in a timely manner (ASD recommends within 48 hours for extreme-risk vulnerabilities) is one of the simplest and most effective steps an organisation can take to secure its network and environment.
- Disable untrusted Microsoft Office macros: Automating routine tasks with Office macros is convenient, but macros are executable code and a common malware delivery vehicle, frequently leading to unauthorised access to sensitive information or the manipulation of critical data. Restrict macro execution to digitally signed macros from trusted publishers, block macros in documents that came from the internet, and routinely audit the remaining macros to determine whether each is still needed.
- Harden user applications: Where web browsing is allowed, common attack vectors include malicious websites, malicious advertising and emails with infected attachments. The ASD recommends that administrators configure web browsers to block Adobe Flash content, web advertisements and untrusted Oracle Java code.
- Restrict administrative privileges: Staff turnover, overlooked default accounts and ease of use all leave behind accounts with far more privilege than they need, which can be used to make significant changes or bypass critical security settings. Administrative privileges should be granted only to the users who need them, for the duties that need them, and the need should be revalidated regularly.
- Patch operating systems: Operating system vendors continually issue patches to remedy security vulnerabilities. Applying them in a timely manner is essential to the security of the system and of the data it holds, and unsupported operating system versions should not remain in use.
- Multifactor authentication: Requiring a second factor in addition to a password means that a stolen or phished password alone is not enough to log in. This matters most for remote access, privileged actions and access to important data repositories.
- Daily backup of important data: Daily backups have never been more critical, as attackers develop increasingly sophisticated ransomware such as Petya and WannaCry. Daily backups of important data, software and configuration settings, stored disconnected from the network and retained for at least several months, ensure that the organisation can recover in the event of a cybersecurity incident; restoration should be tested regularly, not just assumed to work.
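A checklist is only useful if you can tell where you stand against it. The following PowerShell script is an added example, not code from the article or from ASD: it spot-checks four of the eight controls on a single Windows host (AppLocker whitelisting, Office macro policy, local administrator membership and OS patch age) and prints a PASS/FAIL line for each. It assumes Office 2016 or later (policy registry keys under the “16.0” version path in HKCU), AppLocker as the whitelisting mechanism, and the built-in AppLocker and Microsoft.PowerShell.LocalAccounts modules; the 30-day patch threshold is the script's own choice.

```powershell
# Essential Eight spot-check for one Windows host (added example, not ASD's or the
# article's code). Read-only: it inspects policy and configuration and reports.
# Assumptions: Office 2016+ registry version "16.0", AppLocker for whitelisting,
# and the AppLocker / Microsoft.PowerShell.LocalAccounts modules are available.
$report = [ordered]@{}

# --- Whitelist applications: is any AppLocker rule actually in effect? ----------
try {
    $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
    # Each rule collection enumerates its rules; piping through ForEach-Object unrolls them.
    $ruleCount = ($policy.RuleCollections | ForEach-Object { $_ } | Measure-Object).Count
    $report['Application whitelisting (AppLocker)'] = if ($ruleCount -gt 0) { "PASS ($ruleCount rules in effect)" } else { 'FAIL (no AppLocker rules in effect)' }
} catch {
    $report['Application whitelisting (AppLocker)'] = "UNKNOWN ($($_.Exception.Message))"
}

# --- Disable untrusted Office macros: per-application Group Policy values -------
# VBAWarnings: 1 = enable all, 2 = disable with notification,
# 3 = disable all except digitally signed, 4 = disable all without notification.
# Only 3 or 4 meet the "signed and trusted only" bar in the list above.
# BlockContentExecutionFromInternet = 1 also blocks macros in files carrying the
# mark-of-the-web (downloaded or emailed documents).
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key   = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"   # assumed version path
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $vba   = $props.VBAWarnings
    $motw  = $props.BlockContentExecutionFromInternet
    $ok    = ($vba -in 3, 4) -and ($motw -eq 1)
    $report["$app macro policy"] = if ($ok) { 'PASS' } else { "FAIL (VBAWarnings=$vba, BlockContentExecutionFromInternet=$motw)" }
}

# --- Restrict administrative privileges: who holds local admin today? ----------
# There is no automatic pass here: every member must be matched to a documented need.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty Name
$report['Local Administrators members'] = "$(@($admins).Count) member(s): $($admins -join ', ') (review each against a documented need)"

# --- Patch operating systems: days since the most recent installed hotfix -------
$lastPatch = Get-HotFix |
             Where-Object InstalledOn |
             Sort-Object InstalledOn -Descending |
             Select-Object -First 1
if ($lastPatch) {
    $age = (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
    $report['OS patching'] = if ($age -le 30) { "PASS (last hotfix $($lastPatch.HotFixID), $age days ago)" } else { "FAIL (last hotfix $($lastPatch.HotFixID), $age days ago)" }
} else {
    $report['OS patching'] = 'UNKNOWN (no hotfix install dates recorded)'
}

# --- Print the findings ---------------------------------------------------------
$report.GetEnumerator() | ForEach-Object { '{0,-38} {1}' -f $_.Key, $_.Value }
```

Run it in an elevated PowerShell session on a representative workstation; a FAIL on macro policy usually means the setting is deployed only to some users or not at all, and a long list of local administrators is the quickest sign that privilege restriction has not been done. Multifactor authentication, application hardening and backups cannot be judged from one host's registry and need to be verified in the identity provider, browser policy and backup system respectively.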
Following each of these steps is a good starting point to creating a secure environment for your organisation. For a deep dive into The Essential Eight, read the ASD 8 whitepaper.